This is going to be a pretty short summary. As you may have noticed, we were a little light on content this week, due to out-of-town travel for client engagements and in-town client meetings. On a personal note, early this week I had a front tire blow out on my car, throwing me airborne and backwards across four lanes of traffic during the afternoon commute. A driver who witnessed the spectacle said it looked like pole vaulting with cars, and could not figure out how I landed on the wheels, backwards or not. Somehow I did not hit anything and walked away unscathed, but truth be told, I am a little shaken up by the experience. Thank you to those of you who sent well wishes; everything is fine here.
On a more positive note, we are gearing up for several exciting events in the new year: new business offerings, a bunch of new material on Quant for Databases, and a few other surprises as well. All of this is a lot of work, and it is going on while we are attending to family matters, so we have decided that this is the last Friday Summary of the year. We will have more posts during the holidays, but the frequency will be down until the new year.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- TechTarget video with Adrian talking about email security in the cloud.
- Rich was quoted in Business Week regarding The Coming Cloud Catastrophe.
- SearchSecurity podcast with Adrian on database security strategy.
Favorite Securosis Posts
Other Securosis Posts
Project Quant for Databases:
- Project Quant: Database Security Planning, Part 2 (part 4 overall)
- Project Quant: Database Security Planning (part 3 overall)
Favorite Outside Posts
- Adrian: A classic from Amrit Williams!
- David: Sockstress Vulnerabilities Patched – Nobody is really talking about this, which is a shame because it probably deserves much more attention. Watch it resurface in 2010.
Top News and Posts
Honestly, most of us did not even open our feed readers this week. But one post was making the rounds:
Blog Comment of the Week
This week’s best comment comes from our own Jeremiah Grossman in response to Adrian’s post on Akamai Implements WAF:
Adrian, good post, some bits to consider… One major reason I found this announcement very important is many large website operators who utilize massive bandwidth simply cannot deploy WAFs for performance/manageability reasons. This is why WAFs are rarely found guarding major traffic points. Akamai is known specifically for their performance capabilities so may be able to scale up WAFs where current industry has not.
Secondly, WAF rules will always leave some vulnerability gaps, hopefully lesser so in the future, but complete coverage isn’t necessarily a must. The vast majority of vulnerabilities (by raw numbers) are syntax in nature (i.e., SQLi, XSS, etc.). By mitigating these (at least temporarily), organizations may prioritize the business logic flaws for code fixes–gaps in the WAF. This approach makes getting down to zero remotely exploitable bugs MUCH easier. We’ve experienced as much in our customer-base.
“Rule sets are really hard to get right, and must be updated with the same frequency as your web site content. As you add new pages or functions, you are adding and updating rules.”
This implies the WAF is deployed in white list mode, which to my understanding is not how Akamai is going to go. ModSecurity Core Rules are black list style, so would not require updates when content is changed. To be fair, the rules would have to be changed as the attacks evolve, which may or may not be as fast as website/content code changes.
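To make the black list versus white list distinction in the comment above concrete, here is a small added example written for this summary. It is not Akamai's deployment, the ModSecurity Core Rules, or any Securosis code: the two signature patterns, the per-path white list model, and the six sample requests are all constructed stand-ins. It runs both styles over the same traffic and shows the trade-off Jeremiah describes, plus two cases the comment only implies: a URL-encoded payload (which is why the black list decodes before matching) and an injection variant the black list was never taught, which is the "rules must change as attacks evolve" point.

```python
"""Blacklist vs whitelist WAF rules: a toy comparison (added example).

Not code from Securosis, Akamai or the ModSecurity project. The rules,
paths and sample requests are constructed stand-ins for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Blacklist ("negative security") rules: match attack *syntax*, applied to
# every path. Simplified stand-ins, not the real Core Rules signatures.
BLACKLIST_RULES = {
    "sqli": re.compile(
        r"\bunion\b.*\bselect\b|'\s*or\s*'?\d*'?\s*=|--\s*$|;\s*drop\b",
        re.IGNORECASE,
    ),
    "xss": re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.IGNORECASE),
}

# Whitelist ("positive security") model: per path, which parameters may appear
# and what each may look like. Anything not described here is rejected, so the
# model must be updated whenever a page or parameter is added to the site.
WHITELIST_MODEL = {
    "/search": {"q": re.compile(r"[\w \-]{1,64}")},
    "/orders/view": {"id": re.compile(r"\d{1,8}")},
}


def blacklist_check(request: str) -> tuple[bool, str | None]:
    """Return (blocked, rule_name). Decodes percent/plus encoding first so a
    URL-encoded payload cannot slip past a pattern written for plain text."""
    decoded = unquote_plus(request)
    for name, pattern in BLACKLIST_RULES.items():
        if pattern.search(decoded):
            return True, name
    return False, None


def whitelist_check(request: str) -> tuple[bool, str]:
    """Return (blocked, reason). Unknown paths and unexpected or malformed
    parameters are blocked; nothing else is inspected."""
    url = urlsplit(request)
    schema = WHITELIST_MODEL.get(url.path)
    if schema is None:
        return True, f"unknown path {url.path}"
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        allowed = schema.get(name)
        if allowed is None:
            return True, f"unexpected parameter {name}"
        if not all(allowed.fullmatch(v) for v in values):
            return True, f"parameter {name} fails pattern"
    return False, "allowed"


# Constructed sample traffic. Each line exercises one point from the comment.
SAMPLE_REQUESTS = [
    "/search?q=database+security",                  # legitimate
    "/search?q=%27+OR+%271%27%3D%271",              # classic SQLi, URL-encoded
    "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",  # reflected XSS probe
    "/search?q=1+AND+SLEEP(5)",                     # SQLi variant the blacklist lacks
    "/orders/view?id=1002",                         # another user's order: logic flaw
    "/reports/2010?id=42",                          # page added after the model was built
]


def evaluate(requests: list[str] = SAMPLE_REQUESTS) -> dict[str, dict]:
    """Run both checks over each request; results keyed by request string."""
    results = {}
    for raw in requests:
        b_blocked, b_rule = blacklist_check(raw)
        w_blocked, w_reason = whitelist_check(raw)
        results[raw] = {
            "blacklist": b_blocked, "blacklist_rule": b_rule,
            "whitelist": w_blocked, "whitelist_reason": w_reason,
        }
    return results


if __name__ == "__main__":
    for raw, r in evaluate().items():
        print(f"{raw:48} blacklist={'BLOCK' if r['blacklist'] else 'pass '}"
              f" ({r['blacklist_rule'] or '-'})  whitelist="
              f"{'BLOCK' if r['whitelist'] else 'pass '} ({r['whitelist_reason']})")
```

Reading the output down the list: the black list stops the two textbook syntax attacks without knowing anything about the site, passes the new /reports page untouched, and misses both the SLEEP() variant (no signature for it yet) and the order-ID request (syntactically clean, so no signature could ever catch it). The white list blocks the three injection attempts and the SLEEP() variant because none of them look like a search term, but it also blocks the legitimate new page until someone adds it to the model, and it passes the order-ID request for the same reason the black list does: the flaw is authorization, not input shape, and only a code fix closes it.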